ericgeater
Community Champion

On the other side of privilege removal

I'm about to amicably leave my current employer. My accounts are tied to several resources. I would prefer to be locked out of everything upon separation, but this is unrealistic. I would be satisfied to be locked out of all external connectivity.

For reasons I cannot explain easily, I'm certain this will not occur on my request. But I feel like I am entitled to the nonrepudiation which a lockout would provide. Have any of you faced the desire of remaining blame-free upon separation? How did you convey this importance when leaving?

--
"A claim is as good as its veracity."
12 Replies
Steve-Wilme
Advocate II

All those things were in place, however our new CIO took the unfortunate view that everything to do with security was "absolutely delusional" and could therefore simply be ignored; a bit like staying within the IT budget (also ignored) and regulatory compliance (also ignored).  When you get to the point where half the IT department leaves in a 3 month period and isn't replaced due to a CIO, the problem probably is beyond fixing.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

When you have a toxic CIO like that, you need to cover your rear. That is why I like to send emails that "recap our earlier conversation" to make sure I "understood your intent". Then if they try to throw it back in your face I can refer to our previous conversation that "I emailed you about". As the system owner the CIO has every right to "accept the risk" of any decision they want to make, and as the CISO I have the right and responsibility to ensure that any "risk they are willing to accept" is fully documented in a risk acceptance document. It is also my duty to fully inform the CIO/senior management of the risks of their decisions, and if they (CIO) or senior management are willing to accept the known risks I have presented to them, I document it and get them to sign it. I make sure I have emailed it to them to sign and return to me. If they refuse to sign it, I send a couple of follow-up emails so that I have it documented that I made every reasonable attempt to get them to sign it. That way I am as protected as I can be.


If senior management is OK with a toxic CIO, I then ensure my resume is up to date and I start looking for jobs with intense focus.

Steve-Wilme
Advocate II

After 9 months of doing as you suggested I took the latter option and found another job. Once you've lost a critical mass of staff you're not going to make headway anyhow.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS